Dependencies and package managers

Here are some tips for dealing with the necessary evil.

Explicitly declare and isolate dependencies

Start with identifying dependencies. Avoid assuming, begin experimenting instead. Run diagnostics and document the results. Start simple as early as you can:

• list linked libraries
• check compiler and OS version
• understand the developer tools (IDE, LSPs, linters etc.)

Isolate dependencies using virtualisation:

• virtual machines
• containers
• virtual runtime environments - Python virtualenv

Never rely on implicit existence of system-wide packages - 12factor.net

Packaging your app into a container and trying to reduce the image size is a helpful exercise. It allows you to identify all the files your app depends on. Please read this well-documented journey of the process.

Trust

Managing dependencies relies heavily on trust. Most package managers do not support decentralized package hosting for a reason. Packages may become abandoned over time, but the concern lies not only in availability, but in security too. Centralized systems exist to ensure this.

Of course using a centralised service is a potential risk too. The question is which organisation do we trust, and what can we do to mitigate the risk.

Source code vs binary

One way to mitigate risk is by backing up dependencies. The are two options here: saving artifacts such as binaries and config files, or saving the source code. Whenever feasible, do both.

Prepare potential replacements

Another strategy is to prepare potential replacements for certain dependencies. Try building your software on different Linux distribution, compiler, try to swap the key libraries with alternatives.

Identify key dependencies

In most cases we do not have the resources required to build everything from scratch or apply every security update manually. We need to do an evaluation first: identify the software that provides the core value of the product. For embedded systems this unfortunately includes a lot of software: bootloader, os kernel, etc.

Embedded firmware: Build from scratch

• baremetal - single repo
• rtos - still single repo, include os sources
• linux - distro generators + custom userspace sw

Embedded firmware: Build OS from scratch but pull packages from a feed

• elbe
• debian debootstrap

App development: OS level package managers

• build custom packages, declare dependencies
• may rely on implicit existence of system packages

App development: Application level package managers

Purpose:

• declare compile time dependencies
• declare runtime dependencies
• isolate dependencies (eg. virtualenv)

Features:

• offline package installation
• remote artifact repository
• multi-arch support
• custom build steps

Monorepos and Polyrepos

Where to put your dependencies?

Pros:

• simple versioning - everything is in one place
• system configuration (what is the latest stable version of a component) managed centrally

Cons:

• deal with git submodules - clone recursive, submodule update, etc.

Challenges

Monorepo involves mostly challenges around scaling the organization in a single repo. Polyrepo involves mostly challenges with coordination.

Transition

Splitting one repo is easier than combining multiple repos.

Combine polyrepos with a package manager

Specify all system component versions in a repository as code.

• monorepo coordinates the full system build
• can have components as submodules
• don’t need to manage a full dependency graph for the system
• CI tests only the working configuration

Combine polyrepos with a repo management tool

man repo